First Look – TrustMAPP

TrustMAPP is not a GRC (Governance, Risk and Compliance) product, but it functions much like a GRC tool. It simply does it in a unique and novel way. While GRC is not the goal, users of traditional GRC tools will feel right at home with TrustMAPP, and the end results will be the sort of thing you would expect from a competent GRC deployment, with one major difference. We have said many times that compliance does not equal security, but if you are secure you probably are – with a bit of extra documentation – compliant. That is true of TrustMAPP. Its job is helping you be as secure as you can be. You get compliance and governance as a sort of “free gift.”

The reason for this apparent role reversal is that TrustMAPP is a maturity tool. Its aim is to improve your security maturity. Since it thinks in terms of compliance as well as security, that “bit of extra documentation” is included. The big difference is not just marketing. It’s a genuine benefit: the MAPP process. MAPP stands for Maturity Assessment Profile and Plan. Rather than focusing just on a mix of policies and level of compliance, TrustMAPP focuses on Key Performance Indicators.

The tool uses sophisticated analytics to analyze the results of detailed assessment surveys that translate controls into business practices. It is not enough to know “what.” One also must know “how” if one is to achieve security maturity. The “Profile” part of the tool and process translates the output of the analytics into a set of insights that allows management, administrators and security analysts to transform the existing security ecosystem into its next level of maturity. It does this through the Planning phase, where a detailed roadmap to maturity is generated.

All of that said, in many regards this one looks and feels rather “old school.” The menus and dashboards are what we would expect from an older tool and there really is no hint of what we define as a next-generation tool. It does integrate with third-party ticketing systems. We dropped into the first dashboard and were fairly unexcited. We are not fans of gathering data through surveys because people ignore them or blow them off with minimal effort applied to collecting answers. That’s the – apparently – bad news.

The great news is that Secure Digital Solutions – the developer of TrustMAPP – clearly has thought about all of that. Without doing anything to make the tool – on the surface – appear more complicated than users can tolerate, it has kept a comfortable, familiar look and feel while doing a lot of work under the covers and drawing the user subtly along through the maturity process. The underlying analytics take user laziness into account through a very sophisticated survey analysis process that ensures consistency and accuracy. The roadmap takes the user by the hand and leads him or her through the maturing process and the reporting gives executives and auditors exactly what they need for the tasks that they must do.

That major difference we alluded to in the beginning of this review? TrustMAPP is strategic rather than tactical or operational. The strategy roadmap feeds those other tools that provide tactical and operational support. And, for users, it feels like an old friend, completely non-threatening as the user works through the complications of being both secure and compliant.

The bottom line: This will not, nor should it, replace your GRC tool. The purpose of TrustMAPP is to enable the evolution of an information security maturity program that is comprehensive, well-matched to your environment, and achievable, to make your organization both secure and compliant.